Install SSL Web Server Certificate onto CISCO ASA 5520

Problem

Install SSL Web Server Certificate

Install Certificate

Cause

This procedure provides steps for configuring certificates using manual certificate requests. These steps should be repeated for each trustpoint you configure for manual enrollment. When you have completed this procedure, the security appliance will have received a CA certificate for the trustpoint and one or two certificates for signing and encryption purposes. If you use general-purpose RSA keys, the certificate received is for signing and encryption. If you use separate RSA keys for signing and encryption, the certificates received are used for each purpose exclusively.

Solution

To install a certificate into a Cisco ASA 5520 device, perform the following steps:

3. Generate the certificate request with the crypto ca enroll command. The following example shows a certificate and encryption key request for the trustpoint Main, which is configured to use manual enrollment and general-purpose RSA keys for signing and encryption:

hostname (config)# crypto ca enroll Main
% Start certificate enrollment .
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
% Include the device serial number in the subject name? [yes/no]: n
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
MIIBoDCCAQkCAQAwIzEhMB8GCSqGSIb3DQEJAhYSRmVyYWxQaXguY2lzY28uY29t
[ certificate request data omitted ]
jF4waw68eOxQxVmdgMWeQ+RbIOYmvt8g6hnBTrd0GdqjjVLt
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: n
hostname (config)#

4. For each request generated by the crypto ca enroll command, obtain a certificate from the CA represented by the applicable trustpoint. Be sure the certificate is in base-64 format.

If you use separate RSA keys for signing and encryption, the crypto ca enroll command displays two certificate requests, one for each key. To complete enrollment, acquire a certificate for every certificate request generated by the crypto ca enroll command.

5. For each certificate you receive from the CA, use the crypto ca import certificate command. The security appliance prompts you to paste the certificate to the terminal in base-64 format.

If you use separate RSA key pairs for signing and encryption, perform this step for each certificate separately. The security appliance determines automatically whether the certificate is for the signing or the encryption key pair. The order in which you import the two certificates is irrelevant.

The following example manually imports a certificate for the trustpoint Main:

hostname (config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
[ certificate data omitted ]
quit
INFO: Certificate successfully imported
hostname (config)#

6. Verify that the enrollment process was successful using the show crypto ca certificate command. For example, to show the certificate received from trustpoint Main:

hostname/contexta(config)# show crypto ca certificate Main

The output of this command shows the details of the certificate issued for the security appliance and the CA certificate for the trustpoint.

Before you install the certificate, make sure you have already generated a trustpoint (see article SO5088).
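As an added example (not part of the original article and not Cisco's own tooling), the following POSIX shell functions run on an administration workstation with the openssl command to check a CA-issued certificate before it is pasted into crypto ca import: that it is base-64 (PEM) text, that its public key is the one in the request the ASA displayed during crypto ca enroll, that it names the FQDN the ASA announced (securityappliance.example.com in the examples above), and that it chains to the CA certificate the trustpoint was authenticated with. The file names, the CA file and the FQDN argument are assumptions of this example.

```shell
# Added example (not from the original article or from Cisco): checks to run on
# an admin workstation with openssl before pasting a CA-issued certificate into
# "crypto ca import <trustpoint> certificate". File names, the CA file and the
# FQDN argument are assumptions for this example.

# Wrap the bare base-64 lines the ASA printed between "Certificate Request
# follows:" and the "---End" marker in PEM armor so openssl can read them.
armor_csr() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
    grep -v -e '^---End' -e '^Certificate Request follows' "$1" | sed '/^[[:space:]]*$/d'
    printf '%s\n' '-----END CERTIFICATE REQUEST-----'
}

# Succeed only if the file is a base-64 (PEM) X.509 certificate; the ASA import
# prompt takes base-64 text, so a binary DER download would be rejected.
cert_is_pem() {
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# Succeed only if the public key in the certificate equals the public key in
# the CSR. The ASA binds a certificate only to a key pair it holds, and the CSR
# it displayed is the off-box copy of that public key.
cert_matches_csr() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$csr_pub" ]
}

# Succeed only if the subject CN or a DNS SAN is exactly the FQDN the ASA
# announced during enrollment (-ext needs OpenSSL 1.1.1+; older builds fall
# back to the CN check only). Both old and new openssl subject formats match.
cert_names_fqdn() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null)
    case "$subj" in
        *"CN = $2"|*"CN = $2,"*|*"CN=$2"|*"CN=$2/"*) return 0 ;;
    esac
    case "$sans" in
        *"DNS:$2"|*"DNS:$2,"*) return 0 ;;
    esac
    return 1
}

# Succeed only if the certificate chains to the CA certificate the trustpoint
# was authenticated with (second argument: a PEM copy of that CA certificate).
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check and print one verdict line each; returns non-zero if any fails.
precheck_cert() {
    cert=$1; csr=$2; ca=$3; fqdn=$4; rc=0
    cert_is_pem "$cert" && echo "ok   base-64 PEM" || { echo "FAIL not base-64 PEM"; rc=1; }
    cert_matches_csr "$cert" "$csr" && echo "ok   public key matches CSR" || { echo "FAIL public key differs from CSR"; rc=1; }
    cert_names_fqdn "$cert" "$fqdn" && echo "ok   names $fqdn" || { echo "FAIL does not name $fqdn"; rc=1; }
    cert_chains_to_ca "$cert" "$ca" && echo "ok   chains to trustpoint CA" || { echo "FAIL does not chain to trustpoint CA"; rc=1; }
    return $rc
}

# Usage (file names are assumptions):
#   armor_csr asa-csr.txt > main.csr
#   precheck_cert main.pem main.csr trustpoint-ca.pem securityappliance.example.com
```

Save the text the ASA printed between "Certificate Request follows:" and the "---End" line to a file and pass it through armor_csr; the public-key comparison is the one check that cannot be redone on the appliance, because the private key never leaves it and a certificate for the wrong key pair will not be accepted by the trustpoint.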

Legal

DigiCert is the world’s premier provider of high-assurance digital certificates—providing trusted SSL, private and managed PKI deployments, and device certificates for the emerging IoT market. Since our founding almost fifteen years ago, we’ve been driven by the idea of finding a better way. A better way to provide authentication on the internet. A better way to tailor solutions to our customer’s needs.